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CLAIMS 

What is claimed is: 

5 1. A method for certificate generation comprising the 

steps of : 

forwarding a request from a first node to a second 
node to generate a certificate, wherein said request 
includes a first identifier that identifies the first 
10 node; and 

in response to receipt of the request at the second 
node, generating a certificate that includes said first 
identifier . 

15 2. The method of claim 1 wherein said request further 

includes a second identifier that identifies a principal. 

3. The method of claim 2 wherein said certificate 
further includes a public key associated with said 

20 principal, and said second identifier. 

4. The method of claim 1 further including the step of 
authenticating said certificate by said second node. 

25 5. The method of claim 4 wherein said step of 

authenticating said certificate comprises the step of 
generating a certificate digitally signed by said second 
node . 
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6. The method of claim 5 wherein said step of 
generating said certificate signed by said second node 
comprises the step of generating a certificate digitally 
signed by said second node using a private key of a 

5 public private key pair associated with said second node. 

7 . The method of claim 1 wherein said certificate 
further includes a time stamp that identifies a time 
associated with the request. 

0 

8 . The method of claim 1 further including the step of 
authenticating said request by said first node. 



9. The method of claim 8 wherein said step of 
15 authenticating said request by said first node comprises 

the step of digitally signing said request. 



10. The method of claim 9 wherein said step of digitally 
signing said request comprises the step of digitally 

20 signing said request using a private key of a 

public/private key pair associated with said first node. 

11. The method of claim 1 wherein said certificate 
further includes a time stamp that is associated with a 

25 time and date when said request was received by said 

second node . 



12 . A method for determining whether access to a 
resource should be provided to a principal in response to 
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a request for access to the resource by the principal 
comprising the steps of: 

receiving said request for access to said resource 
from said principal at a server; 
5 verifying the authenticity of said request using a 

key contained within a certificate associated with said 
principal; 

determining whether a registration authority 
identifier within said certificate corresponds to a 
10 registration identifier contained on a certificate 

revocation list, wherein said registration authority 
identifier is associated with a registration authority 
that requested a certification authority to generate said 
certificate; and 

15 providing an indication to said server that said 

certificate has been revoked and denying access of said 
principal to said resource in response to a determination 
that said registration authority identifier within said 
certificate corresponds to a registration authority 

20 identifier on said certificate revocation list. 

13. The method of claim 12 wherein said determining step 
further comprises the step of determining whether a time 
stamp contained within said certificate that specifies a 

25 time of receipt of a request from said registration 

authority to the certification authority to generate the 
certificate corresponds to a period identified on said 
certificate revocation list during which the respective 
registration authority is indicated to be untrustworthy; 

30 and 
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said providing step comprises the step of providing 
said indication to said server that said certificate has 
been revoked and denying access of said principal to said 
resource in response to a determination that said 
5 registration authority identifier within said certificate 

corresponds to said registration authority identifier on 
said certificate revocation list and said time stamp 
within said certificate corresponds to a time within said 
period identified on said certificate revocation list 
10 during which said registration authority was indicated to 

be untrustworthy. 



14. The method of claim 13 wherein said period has a 
beginning point and an assumed ending point, said 
15 beginning point being specified by a time value contained 

within said certificate revocation list and the assumed 
ending point corresponds to a present time value. 



15. The method of claim 13 
20 beginning point and an ending 

being specified by a first 
point corresponds to a second 



wherein said period has a 
point, said beginning point 

time value and the ending 

time value. 



16. The method of claim 12 wherein said verifying and 
2 5 determining steps are performed by said server. 

17. A certification authority comprising: 

a memory containing a computer program for 
generating said certificate; and 
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a processor operative to execute said computer 
program, said computer program containing program code 
for: 

receiving a request from a registration 
5 authority to issue said certificate; and 

in response to receipt of said request, 
generating said certificate that includes at least 
a registration authority identifier associated with 
said registration authority. 

10 

18. The certification authority of claim 17 wherein said 
request to issue said certificate is an authenticated 
request and said computer program further includes 
program code for verifying said authenticated request. 

15 

19. The certification authority of claim 17 wherein said 
certificate generated by said computer program further 
includes a principal identifier associated with a 
principal and a key associated with said principal. 

20 

20. The certification authority of claim 17 wherein said 
computer program further includes program code for 
storing within said certificate a time stamp associated 
with a time when said certification authority received 

25 said request from said registration authority. 

21. A system for determining whether access to a 
resource should be provided to a principal in response to 
a request for access to the resource by the principal 

30 comprising: 
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a first server operative to receive a request for 
access to said resource from said principal, said first 
server being operative to verify the authenticity of said 
request using a key contained within a certificate 
5 associated with said principal, wherein said certificate 

includes at least a registration authority identifier 
associated with a registration authority that issued a 
request to a certification authority to issue said 
certificate; 

10 a second server containing a certificate revocation 

list, wherein said certificate revocation list includes 
said registration authority identifier in the event the 
associated registration authority has been determined to 
be untrustworthy, said second server being operative in 

15 response to a certificate revocation inquiry request to 

ascertain whether said certificate revocation list 
contains a registration authority identifier that 
corresponds to said registration authority identifier 
within said certificate; and 

20 said second server being further operative to 

provide an indication to said first server that said 
certificate has been revoked in the event said 
certificate revocation list contains said registration 
authority identifier that corresponds to said 

25 registration authority identifier within said 

certificate . 

22. The system of claim 21 wherein said first and second 
server comprise a single server. 

30 
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23. The system of claim 21 wherein said first server is 
further operative in response to receipt of said 
indication that said certificate has been revoked to deny 
said principal access to said requested resource. 

5 

24. The system of claim 21 wherein said certificate 
further includes a time stamp associated with a time when 
said certification authority received from said 
registration authority said request to issue said 

10 certificate on behalf of said principal; and 

wherein said certificate revocation list includes 
said reqistration authority identifier in the event the 
associated registration authority has been determined to 
be untrustworthy and at least one value defining a time 

15 interval during which said registration authority is 

deemed to be untrustworthy, 

said second server being operative in response to a 
certificate revocation inquiry request to provide a 
revocation indication if said certificate revocation list 

20 contains a registration authority identifier that 

corresponds to said registration authority identifier 
within said certificate and a time stamp associated with 
said registration authority identifier that is within 
said interval. 

25 

25. The system of claim 23 wherein said second server 
comprises a revocation server. 

26. The system of claim 25 wherein said revocation 
30 server is further operative in response to said 
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revocation indication to forward a certificate revocation 
message to said first server that indicates that said 
certificate has been revoked. 

5 27. The system of claim 26 wherein said first server is 

operative in response to said certificate revocation 
message to deny said principal access to said requested 
resource . 

10 28. A computer program product including a computer 

readable medium, said computer readable medium having a 
computer program stored thereon for generating a 
certificate, said computer program being executable by a 
processor and comprising: 

15 program code for receiving a request from a 

registration authority to issue a certificate on behalf 
of a principal; 

program code operative in response to recognition of 
said request, for generating by a certification authority 

20 a certificate authenticated by said certification 

authority wherein said certificate includes at least a 
principal identifier associated with said principal, a 
key associated with said principal for use in 
authenticating messages generated by said principal, and 

25 a registration identifier associated with said 

registration authority. 

29. The computer program product of claim 28 wherein 
said program code for generating said certificate is 
30 further operative to include within said certificate a 
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tirae stamp associated with a time or receipt by said 
certification authority of said request from said 
registration authority of said request to issue said 
certificate . 

5 

30. A computer data signal, said computer data signal 
including a computer program for use in generating a 
certificate, said computer program comprising: 

program code for receiving a request from a 
10 registration authority to issue a certificate on behalf 

of a principal; 

program code operative in response to recognition of 
said request, for generating by a certification authority 
a certificate authenticated by said certification 
15 authority wherein said certificate includes at least a 

principal identifier associated with said principal, a 
key associated with said principal for use in 
authenticating messages generated by said principal, and 
a registration identifier associated with said 
20 registration authority. 

31. The computer data signal of claim 30 wherein said 
program code for generating said certificate is operative 
to include within said certificate a time stamp 

25 associated with a time of receipt by said certification 

authority from said registration authority of said 
request to issue said certificate. 
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32. The computer data signal of claim 30 wherein said 
computer program further includes program code for 
publishing said certificate. 

5 33. The computer data signal of claim 30 wherein said 

program code for publishing said certificate includes 
program code for forwarding said certificate to a 
directory server. 

10 34. An apparatus for generating a certificate in a 

computer network comprising: 

means operative in response to receipt of a request 

from a first node coupled to a computer network at a 

second node coupled to said network for generating at 
15 said second node a certificate that includes a first node 

identifier associated with said first node. 

35. The apparatus of claim 34 wherein said request was 
initiated by a principal and said request includes a 
20 principal identifier associated with said principal and 

said certificate further includes said principal 
identifier and a public key associated with said 
principal . 

25 36. The apparatus of claim 34 wherein said certificate 

is authenticated by said second node. 

37. The apparatus of claim 34 further including means 
30 for comparing said first node identifier to a node 
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identifier associated with an untrustworthy node on said 
network that is contained within a certificate revocation 
list and providing an indication that said certificate is 
untrustworthy in the event said first node identifier 
matches said untrustworthy node identifier. 
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